new file mode 100644
@@ -0,0 +1,33 @@
+From 4c0658f56faf6d64382721a230ee57038035110a Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+ <55850855+ahmetfurkankavraz@users.noreply.github.com>
+Date: Fri, 9 Jan 2026 16:58:23 +0100
+Subject: [PATCH] Fix CVE-2025-15275: Heap buffer overflow in SFD image parsing
+ (#5721)
+
+Fixes: CVE-2025-15275 | ZDI-25-1189 | ZDI-CAN-28543
+
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+
+CVE: CVE-2025-15275
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/7195402701ace7783753ef9424153eff48c9af44]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ fontforge/sfd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index cd661584b..4db9feebb 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -3724,6 +3724,10 @@ static ImageList *SFDGetImage(FILE *sfd) {
+ getint(sfd,&image_type);
+ getint(sfd,&bpl);
+ getint(sfd,&clutlen);
++ if ( clutlen < 0 || clutlen > 256 ) {
++ LogError(_("Invalid clut length %d in sfd file, must be between 0 and 256"), clutlen);
++ return NULL;
++ }
+ gethex(sfd,&trans);
+ image = GImageCreate(image_type,width,height);
+ base = image->list_len==0?image->u.image:image->u.images[0];
@@ -23,6 +23,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
file://CVE-2024-25081_CVE-2024-25082.patch \
file://CVE-2025-15279-1.patch \
file://CVE-2025-15279-2.patch \
+ file://CVE-2025-15275.patch \
"
EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15275 Pick the patch that mentions this vulnerability ID explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../fontforge/fontforge/CVE-2025-15275.patch | 33 +++++++++++++++++++ .../fontforge/fontforge_20230101.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15275.patch